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(54) Cryptographic authorization with prioritized authentication 

(57) A system and associated method for authoriz- 
ing, or withholding authorization of, user access to a 
selected computer application or other resource, based 
on the user's response to one or more user authentica- 
tion tests. If the user satisfies one or more authentica- 
tion tests but satisfies less than all the tests, the system 
optionally allows the user access to a selected subset of 
the resource. Alternatively, the user loses access to a 
selected subset of the application for each test not sat- 
isfied by the user. An authentication test or its associ- 
ated weight may change at a selected time, and the 
selected time may be determined with reference to a 
time at which the resource changes- 
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Description 

Field of the Invention 

[0001] This invention relates to use of one or more 5 
authentication mechanisms in secure communications. 

Background of the Invention 

[0002] During the last decade of the Twentieth Cen- io 
tury, the Internet has become a vital communication 
medium for a variety of application domains, including 
simple e-mail, home banking, electronic trading of 
stocks, net-based telephonic communications and 
many other electronic commerce applications. Authenti- is 
cation of a user is becoming a key requirement in allow- 
ing or authorizing a legitimate user to execute the user's 
privileges in a particular network or sub-network. 
[0003] Presently, many user authentication mecha- 
nisms are available, including simple user name/pass- 20 
word, one-time password (e.g., S/Key), RSA-based 
digital signature authentication, Kerberos. challenge- 
and-response, and Secure Socket Layer SSL v3.0 with 
user/client authentication. Bruce Schneier, in Applied 
Cryptography. John Wiley & Sons, Inc., New York, Sec- 25 
ond Edition, 1996, pp. 34-74 and 566-572, discusses 
and characterizes several user and/or key authentica- 
tion tests that are often based on, or associated with, an 
underlying encryption procedure. 

[0004] One Interesting authentication scheme is the 30 
Sun Pluggable Authentication Mechanism (RAM), dis- 
cussed in more detail in the following, which facilitates 
integration of several authentication packages or tests 
without requiring change of the underlying application 
(e.g., login). Although a system such as RAM provides a 35 
framework for integration, such a system often deals 
with the plurality of authentication mechanisms as if all 
have the same cryptographic or authentication strength 
or priority. For example, one enterprise might require 
both Kerberos (relatively strong) and user password 40 
(relatively weak) to be used for user authentication. Use 
of several authentication modules can be accommo- 
dated within RAM, through the use of stacking. If the 
user fails to pass one of the authentication tests, among 
many that are applied in stacking, authentication is 4S 
denied, without indicating which of the many tests the 
user has failed to pass. RAM treats all authentication 
tests in an integrated package as equally strong and 
equally suitable. 

[0005] What is needed is a system that integrates 50 
one or more authentication tests but allows assignment 
of a priority or strength to each of such tests and allows 
authentication to be treated as a necessary, but not a 
sufficient, condition for user authorization. Preferably, 
where authentication tests are integrated, these tests 55 
should be executed based on an indicium that is a 
measure of priority and/or strength for each authentica- 
tion test. Preferably, the system should allow identifica- 



tion of, and take account of, which authentication test or 
tests the user has failed to pass and should grant or 
withhold access to selected subsets of a resource, 
depending upon which tests are passed. Preferably, the 
system should be flexible enough to allow assignment 
of different priorities and/or strengths to tests within an 
integrated authentication package, based on the appli- 
cation and the current circumstances. 

Summary of the Invention 

[0006] These needs are met by the invention, which 
provides a system that integrates one or more authenti- 
cation tests and allows assignment of arbitrary (and 
changeable) relative priority and/or relative strength to 
each of these tests. In one embodiment, the system 
allows an integrated electronic authentication system to 
accept physical objects, such as drivers licenses, birth 
certificates, passports, social security cards and the like 
for partial or full authentication of a user, although each 
of these documents is used for a different primary pur- 
pose, and the purposes seldom overiap. 
[0007] In a first embodiment, the system applies 
one or more authentication tests with increasing or dif- 
fering numerical priority or strength and grants access 
to a resource or selected subset thereof (which may be 
the empty set), depending upon which test or tests are 
satisfied. In another embodiment, the system withdraws 
access to a selected subset (which may be the empty 
set) of a resource for each authentication test the user 
fails to satisfy. 

[0008] The invention has the following advantages: 

(1) the invention strengthens an association or linkage 
between authentication and the authorization process; 

(2) the invention allows identification of which authenti- 
cation test(s) is being used; (3) the invention extends an 
integration procedure, such as PAM, without distorting 
the procedure; (4) the invention enhances total security 
of the authorization process; (5) the invention preserves 
and deals with authentication mechanisms based on 
their relative merits and can allocate relative priority 
based on relative cryptographic strength; and (6) the 
invention allows an entity to classify those with whom it 
deals (customers, suppliers, etc.) for authorization pur- 
poses. 

Brief Description of the Drawings 
[0009] 

Rgure 1 illustrates the architecture of a resource 
access system that requires user authentication. 
Figures 2A-2B and 3A-3B-3C are flow charts of 
procedures for practicing single-threshold and mul- 
tiple-threshold embodiments of the invention, 
respectively. 

Figures 4A-4B are a flow chart for practicing a "top 
down" embodiment of the invention. 
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Detailed Description of the Invention 

[0010] In the invention, user authentication is 
treated as a necessary, but not sufficient, condition for 
user authorization in this system. Authorization level 
varies fronn user to user, based on the user's role, group 
membership, privileges, past behavior and the like. If 
the user satisfies or passes all authentication tests, the 
user is allowed access to a maximal set, consistent with 
the user's status, of domains or privileges, if the user 
passes some, but not all, of the authentication tests, the 
user is allowed access to a selected subset of the max- 
imal domain, where the selected subset may be a 
proper subset or may be the maximal set and will vary 
according to the tests passed, or not passed. 
[0011] Strength of an authentication test can be 
objectively evaluated. For example, SSL v3.0 with 
authentication is believed by many to be a stronger 
authentication test than is Kerteros, discussed in Sch- 
neier, op cit, pp. 566-572; and Kerberos is considered to 
be a stronger test than a simple user/password test If 
these three authentication test are integrated, an 
assessment of authentication relative strength for use in 
the invention might run as follows. 



Authentication test 


Relative strength 


SSL v3.0 


1 


Kerberos 


2 


User/password 


3 



[0012] A weight Wj (0 < Wj < 1 ) may be assigned to 
each authentication test, with a higher weight being 
assigned to a test with higher relative strength. In one 
embodiment, relative priority of an authentication test is 
equated with the relative strength of a test. In another 
embodiment, relative priority is assigned to each of sev- 
eral tests, independently of their relative strengths, 
based on the circumstances in which the tests will be 
used in an integrated approach. 

[0013] The Pluggable Authentication Mechanism 
(PAM) is discussed in detail by Vipin Samar and Charles 
Lai in "Making Login Services Independent of Authenti- 
cation Technologies", presented at the Third ACM Con- 
ference on Computer and Communications Security, 
March 1996, is useful as a guide in implementing the 
invention. The Samar et al. article notes that most UNIX 
systems presently use a login procedure based on a 
modified Data Encryption Standard (DES) algorithm, 
which assumes that the password cannot be guessed 
and that the password does not pass over the commu- 
nications channel in cleartext. These assumptions are 
acceptable when communications occur only within a 
trusted network. However, an open network, such as an 
internet, requires use of more restrictive and stronger 



authentication mechanisms. Examples of these 
stronger mechanisms include Kerberos, RSA digital sig- 
nature, Diffie-Hellman, S/Key and other one-time pass- 
words, and challenge-and-response and smart card 

5 authentication systems. 

[0014] One goal of a PAM system is to requite a 
possibly-different methods of authentication, depending 
upon the application. For example, a site may require 
S/Key password authorization for telnetd access but 

10 allow console login access after presentation of a UNIX 
password. Another goal of a PAM system is a require- 
ment tat a user pass more than one authentication test, 
such as Kerberos and RSA digital signature tests, to 
obtain access to a particular resource or application. 

15 Another goal is that system-access services should not 
have to change when an underlying authentication 
mechanism changes. 

[0015] Core components of a suitable authentica- 
tion framework include: (1) one or more applications or 

20 resources, such as login, tetnetd and ftpd, to which a 
user seeks access; (2) an authentication mechanism 
library, such as a PAM Application Programming Inter- 
face (API) or library (the front end); and (3) specific 
authentication modules, such as Kerberos, S/Key and 

25 UNIX user password (the back end). Figure 1 illustrates 
a relationship between these three components. When 
a user seeks access to a particular application or 
resource, the application calls a PAM API, vyhich in turn 
calls one or more authentication modules that are 

30 required for access to that application. The appropriate 
authentication module(s), as determined by the API, 
is/are loaded and presented to the user. If the user 
responds correctly to the authentication test(s) in a 
PAM, access is granted. If the user responds incorrectly, 

35 access is denied and, optionally, the user is given 
another opportunity to respond correctly to the test(s). 
[0016] A resource access system may be divided 
into four areas of management functionality: authentica- 
tion, account, session and password. Authentication 

40 management authenticates the user and refreshes, 
upgrades or destroys the user credentials. Account 
management checks user account expiration and 
access hour restrictions, if any, and determines whether 
a user has access to the resource at that particular date 

45 and at that particular time. Session management is 
used for accounting and billing purposes and. option- 
ally, to determine the amount of time the user has had 
access to the resource in the current session (useful 
where the user's contact time is restricted). Password 

50 management is used to change the password from time 
to time. The PAM implements each of these four man- 
agement items as a separate, pluggable module. A par- 
ticular user may not need to be interrogated or 
monitored by all four modules. Alternatively the user's 

55 access request may be processed in parallel by two or 
more of the four modules. 

[0017] According to the invention, the authentica- 
tion system may allocate a strength and/or a priority to 
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each of several authentication mechanisms associated 
with a particular application or resource, may apply 
these mechanisms in a particular order, and/or may 
require that the user satisfy or pass at least a selected 
number of these tests in order to gain access to the 
application. Each associated authentication test may 

have an assigned weight value Wj (0 < Wj < 1 ; i = 1 1; 

I>1 ), which may increase with increasing strength or pri- 
ority for the associated test, and the system may assign 
to the user a "test score" 



TS= 52 Wj ATS(i), (1) 

i=1 

where ATS(i) = 1 if the user passes authentication test 
number i and ATS(i) = 0 otherwise. The system option- 
ally denies user access to the application unless the 
user's test score is at least equal to a selected threshold 
test score value TSthr (i e.. TS ^ TS,hr). even if the user 
passes at least one of the associated authentication 
tests. The threshold test score TS^hr may vary with the 
particular application for which access is sought. 
[0018] Figures 2A-2B present a flow chart illustrat- 
ing a procedure that incorporates this approach. In step 
21, the user seeks access to a particular application or 
resource. In step 23, the system determines which 

authentication mechanisms (i = 1 1) are associated 

with access to the chosen application. In step 25, the 
system determines the test score threshold associated 
with the chosen resource. In step 27, the system is ini- 
tialized, with i = 1 and TS(0) = 0. In step 29, the system 
presents the user with authentication mechanism 
number i, and the user responds to this test number i in 
step 31. In step 33, the system detemnines whether the 
user has passed authentication test number i. If the 
answer to the query in step 33 is "yes," the system sets 
ATS(i) = 1, in step 35, and passes to step 39 (Figure 
2B). If the answer to the query in step 33 is "no,", the 
system sets ATS(i) = 0, in step 37, and passes to step 

39. In step 39 (Figure 2B), the system multiplies ATS(i) 
by a weight w-, assigned to the test number i, adds the 
quantity WjATS(i) to the old sum TS(i-1) to form a new 
sum TS(i), and increments the index i (i i+l), in step 

40. In step 41, the system determines whether i satis- 
fies the condition i > l-h1 . If the answer to the query in 
step 41 is "no" the system returns to step 29 and 
repeats steps 29, 31 , 33, 39, 40 and 41 at least once. If 
the answer to the query m step 41 is "yes," the system 
moves to step 43 and compares the sum TS(I) with the 
associated threshold test score TSt^r TS(I) > TSjhp 
user access to the application is granted, in step 45. If 
TS(I) <TSthr. user access to a default subset of the 
application is granted, in step 47, where the default sub- 
set may be the empty set. 

[0019] Alternatively, the system may set a strictly 
monotonic sequence of test score threshold values, 
TSthr.i. TSthr.2. TSthr.N with TSthr.i < TSthr.2 < •••< 



TSthr.N N>1 , and may allow the user access to a 
selected subset of the full resource, depending upon 
which threshold values the user's test score equals or 
exceeds. As the user's test score TS(I) increases, the 
5 user is granted access to more and more subsets of the 
target application. 

[0020] Figures 3A-3B-3C illustrate the procedure 
according to this alternative embodiment. Steps 21-41 
in Figures 3A-3B-3C are performed as in Figures 2A-2B 

10 to compute the sum TS(I). In step 51 (Figure 3B), the 
system provides a monotonic sequence of N threshold ' 
values (N^). TSthr.i < TS^hr2 < -< TSthr.N. that will be 
used to determine what access, if any, the user may be 
granted within the application or resource. In step 53, 

15 the system is initialized by setting a counting index n = 
1 . In step 55, the system determines whether the sum 
TS(I) satisfies the condition TS(I) > TSihr.n* ^^e answer 
to the question in step 55 is "no", the system determines 
whether n = 1, in step 57 (Figure 3C). 

20 [0021] If the answer to the question in step 57 is 
-yes", the system grants the user access to a first 
default subset Sq of the application, in step 59. This first 
default subset can be the empty subset, which effec- 
tively denies the user access to any part of the applica- 

25 tion. If the answer to the question in step 57 is "no", 
corresponding to n > 1, the system grants the user 
access to a selected subset Sn-i of the application. 
[0022] If the answer to the question in step 55 is 
"yes", the system increments the count index n (n -> 

30 n+1 ), in step 63, and determines whether n satisfies the 
condition n > N-»-1 , in step 65. If the answer to the ques- 
tion in step 65 is "no", the system returns to and repeats 
step 55 at least once. If the answer to the question in 
step 65 is "yes", the system grants the user access to 

35 another default subset S^, which is optionally the entire 
application, in step 67. 

[0023] The preceding embodiments may be char- 
acterized as "bottom up" approaches, in which the sys- 
tem allows user access to a default subset of the 
40 application or resource, which may be the empty set, ini- 
tially. The system also allows access by the user to 
more and more of the application or resource as the 
user satisfies or passes more and more of the authenti- 
cation tests. 

45 [0024] In an alternative "top down" approach, illus- 
trated in a flow chart in Figures 4A-4B, the user begins 
with potential access to the entire resource or applica- 
tion and loses access to particular subsets of the 
resource as the user fails to satisfy or pass one or more 

50 of the authentication tests. In step 71, the user seeks 
access to a resource, or to a subset thereof. In step 73, 
the system provides 1 authentication mechanisms, num- 
bered i = 1, 2, ... , I (l>1) associated with that applica- 
tion. In step 75, the system is initialized at i = 1. In step 

55 77, the user is presented with authentication test 
number i, and the user responds to test number i in step 
79. In step 81 , the system determines whether the user 
has passed test number i. 
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[0025] If the answer to the query in step 81 is "yes", 
the system grants the user access to a selected 
resource subset Sj . in step 85 (Figure 4B). The systenn 
then moves to step 87 and increments the count index i 
(i -> t+1 ). In step 89, the system determines whetherthe 5 
count index i satisfies the condition i > I+l . If the answer 
to the query in step 89 is "yes" , the system moves to 
step 91 and grants the user access to the full resource 
set, or a modified or default version thereof If the answer 
to the query in step 89 is "no", the system returns and 
repeats steps 77, 79 and 81 at least once. 

[0026] If the answer to the query in step 81 is "no", 
the system grants the user access to a selected default 
subset Sj of the resource subset Sj, in step 83, and 
optionally continues with step 87, where the count index 15 
i is incremented and tested against 1+1 (Step 89);. The 
default subset Sj ^ef 'S optionally the empty set. 
[0027] At the end of the procedure(s) shown in Fig- 
ures 4A-4B, if the user has failed to satisfy or pass the 

authentication. tests number i = i1, i2 iM, among the 20 

total number I of authentication tests (0 < M < I; I > 1), 
the system allows the user access to one or more of 
certain default subsets, Sii.def . Sj2.def . SjM.def. so 
that the user now has access the union of these default 
subsets of the original "whole" resource or application 25 
set S. Each time the user satisfies or passes an authen- 
tication test, the subset of the resource to which the 
user has access is unchanged (no loss at this stage). 
[0028] Where multiple users are present, first and 
second users who seek access to different portions of a 30 
resource are optionally presented with different 
sequences of authentication tests to determine the por- 
tion of the resource to which each user will be granted 
access. For example, the first user may be presented 
with authentication tests number one, two and four for 35 
access to a first selected portion of the resource; and 
the second user may be presented with authentication 
tests number two, three, four and five for access to a 
second selected portion of the resource. Alternatively 
where the first and second users pass the same authen- 40 
tication test (e.g., test number two), the portion of the 
resource to which each is granted access may be differ- 
ent for each user. For example, the first and second 
users may be granted access to different portions of a 
given confidential document affecting national security, 45 
because these two users have different "needs to 
know." 

[0029] The resource or application to which a user 
seeks access may change from time to time. For exam- 
ple, a resource may include a collection of documents of 50 
various levels of classification (e.g., company private 
and confidential, secret and top secret at the federal 
level), and the level of authentication required for 
access may be set by the document(s) with the highest 
level of confidentiality. The federal government down- 55 
grades the classification of selected documents from 
time to time, and the authentication level required may 
be correspondingly reduced as a result of this down- 



790 A2 8 

grade, or as a result of removal of one or more docu- 
ments from the resource. Conversely, one or more 
additional documents with a higher classification level 
may be added to the resource, and this upgrade in clas- 
sification may require an increase in authentication level 
for access to the resource. 

[0030] In another alternative embodiment, one or 
more authentication levels or tests associated with a 
given resource optionally changes at a given time, pos- 
sibly as a result of change of characterization of the 
resource, or of one of more documents or other objects 
that are part of or associated with the resource. This 
change would be implemented at a time that is approxi- 
mately contemporaneous with the change in character- 
ization and would be subject to subsequent changes in 
characterization. 

[0031] The preceding embodiments may be imple- 
mented by presenting the user with a sequence of one 
or more authentication tests and requiring the user to 
affirmatively "pass" one or more of these tests, in order 
to obtain access to part or all of the resource. 
[0032] Alternatively, the user may be issued a 
smartcard containing cleartext and/or (preferably) 
encrypted responses or "keys" to I authentication tests 
(l>2), where each response may, but need not, corre- 
spond to passage of an authentication test. In this 
approach, the user presents his/her smartcard to the 
system, the system reads the card and determines 
which, if any, of the entries on the smartcard correspond 
to passage of an authentication test, and which test. 
The smartcard is read by a computer, which tracks 
which authentication tests the smartcard has "passed" 
and thereby determines a coo'esponding subset of the 
resource (which may the whole resource, a proper sub- 
set of the whole resource, or the empty set) to which the 
user has access, based on the user's smartcard score. 
Preferably, the smartcard requires specification of a 
card owner's PIN, which must correspond to the smart- 
card presented, in order to read the smartcard and 
determine its score on one or more authentication tests. 
This approach requires possession of both the smart- 
card and special knowledge (the PIN) before access to 
(portions of) a resource is granted. 
[0033] The Pluggable Authentication Mechanism 
(PAM), which provides integration of one or more 
authentication tests, is compatible with the invention. 
The PAM need not be altered, only enhanced, in order 
to implement the invention. 

Claims 

1. A method of authorization of user access to a 
selected resource, the method comprising the 
steps of: 

providing at least first and second user authen- 
tication mechanisms for authenticating a user 
who seeks access to a resource, where each 
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authentication mechanism has an associated 
numerical strength; 

providing an authentication integration proce- 
dure that assigns a relative priority to each of 
the at least first and second authentication 5 
mechanisms based on the relative strength of 
each mechanism; and 

when the user satisfies a first test associated 
with the first authentication mechanism but fails 
to satisfy a second test associated with the io 
second' authentication mechanism, authorizing 
access by the user to a selected subset of the 
resource based on the at least one test satis- 
fied by the user. 

75 

2. The method of claim 1, further comprising the step 
of authorizing access by said user to said resource 
when said user satisfies at least one test associ- 
ated with said first authentication mechanism and 
satisfies at least one test associated with said sec- 20 
ond authentication mechanism. 

3. The method of claim 1 , further comprising the step 
of denying access by said user to said resource 
when said user fails to satisfy at least one test asso- 25 
ciated with said first authentication mechanism and 
fails to satisfy at least one test associated with said 
second authentication mechanism. 

4. The method of claim 1, further comprising the step 30 
of authorizing access by said user to a selected 
default subset of said resource when said user fails 

to satisfy at least one test associated with said first 
authentication mechanism and fails to satisfy at 
least one test associated with said second authen- 35 
tication mechanism. 

5. The method of claim 1, further comprising the step 
of associating a numerical strength with each of 
said authentication mechanisms. 

6. The method of claim 5, further comprising the step 
of selecting said associated strength of at least one 
of said first and second authentication mechanisms 

to be a selected cryptographic strength. 45 

7. The method of claim 1. further comprising the step 
of causing a change in at least one of said test 
associated with said first authentication mechanism 
and said test associated with said second authenti- so 
cation mechanism at a selected time. 

8. The method of claim 7, further comprising the step 
of choosing said selected time to be approximately 
equal to a time at which said resource changes. ss 

9. The method of claim 1, further comprising the step 
of receiving at least one response from said user to 



at least one of said tests by receiving information 
from a smartcard that is programmed to provide the 
smartcard information in response to receiving a 
selected electronic command. 

10. A method of authorization of user access to a 
selected resource, the method comprising the 
steps of: 

providing I user authentication tests (l>1) for 
authenticating a user who seeks access to a 
resource; 

receiving a response from the user for each of 
the authentication tests; and 
for each authentication test that the user does 
not satisfy, withholding access to a selected 
subset of the resource from the user. 

11. The method of claim 10, further comprising the step 
of selecting at least one of said subsets to be a non- 
empty subset so that failure of said user to satisfy at 
least one of said authentication tests withholds a 
fraction of said resource to which said user has 
access. 

12. The method of claim 10, further comprising the step 
of causing a change in said test associated with at 
least one of said authentication mechanisms at a 
selected time. 

13. The method of claim 12, further comprising the step 
of choosing said selected time to be approximately 
equal to a time at which said resource changes. 

14. The method of claim 10, further comprising the step 
of receiving at least one response from said user to 
at least one of said tests by receiving information 
from a smartcard that is programmed to provide the 
smartcard information in response to receiving a 
selected electronic command. 

15. A system for authorization of user access to a 
selected resource, the system comprising a compu- 
ter that is programmed: 

to provide at least first and second user 
authentication mechanisms for authenticating 
a user who seeks access to a resource, where 
each authentication mechanism has an associ- 
ated numerical strength; 
to provide an authentication integration proce- 
dure that assigns a relative priority to each of 
the at least first and second authentication 
mechanisms based on the relative strength of 
each mechanism; and 

when the user satisfies a first test associated 
with the first authentication mechanism but fails 
to satisfy a second test associated with the 
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second authentication nnechanism, to author- 
ize access by the user to a selected subset of 
the resource based on the at least one test sat- 
isfied by the user. 

5 

16. The system of claim 15, wherein said computer is 
further programmed to authorize access by said 
user to said resource when said user satisfies at 
least one test associated with said first authentica- 
tion mechanism and satisfies at least one test asso- w 
ciated with^said second authentication mechanism. 

17. The system of claim 15, wherein said computer is 
further programmed to deny access by said user to 
said resource when said user fails to satisfy at least is 
one test associated with said first authentication 
mechanism and fails to satisfy at least one test 
associated with said second authentication mecha- 
nism. 

20 

18. The system of claim 15, wherisin said computer is 
further programmed to authorize access by said 
user to a selected default subset of said resource 
when said user fails to satisfy at least one test asso- 
ciated with said first authentication mechanism and 25 
fails to satisfy at least one test associated with said 
second authentication mechanism. 

19. The system of claim 15, wherein said computer is 
further programmed to associate a numerical 3o 
strength with each of said authentication mecha- 
nisms. 

20. The system of claim 19, wherein said computer is 
further programmed to select said associated 35 
strength of at least one of said first and second 
authentication mechanisms to be a selected crypto- 
graphic strength. 

21. The system of claim 15, wherein said computer is 40 
further programmed to cause a change in at least 
one of said test associated with said first authenti- 
cation mechanism and said test associated with 
said second authentication mechanism at a 
selected time. 45 

22. The system of claim 21 , wherein said computer is 
further programmed to choose said selected time to 
be approximately equal to a time at which said 
resource changes. so 

23. The system of claim 1 5, further comprising a smart- 
card, associated with said user, that communicates 
with said computer, that contains information 
related to at least one response from said user to at ss 
least one of said tests, and that Is programmed to 
provide the smartcard information in response to 
receiving a selected electronic command. 



24. A system for authorization of user access to a 
selected resource, the system comprising a compu- 
ter that is programmed: 

to provide I user authentication tests (l>1) for 
authenticating a user who seeks access to a 
resource; 

to receive a response from the user for each of 
the authentication tests; and 
for each authentication test that the user does 
not satisfy, to withhold access to a selected 
subset of the resource from the user. 

25. The system of claim 24, wherein said computer is 
further programmed to select at least one of said 
selected subsets, to which access is withheld, so 
that failure of said user to satisfy at least one of said 
authentication tests withholds a fraction of said 
resource to which said user has access. 

26. The system of claim 24, wherein said computer is 
further programmed to cause a change in said test 
associated with at least one of said authentication 
mechanisms at a selected time. 

27. The system of claim 26, wherein said computer is 
further prog rammed to choose said selected time to 
be approximately equal to a time at which said 
resource changes. 

28. The system of claim 24, further comprising a smart- 
card, associated with said user, that communicates 
with said computer, that contains information 
related to at least one response from said user to at 
least one of said tests, and tat is programmed to 
provide the smartcard information in response to 
receiving a selected electronic command. 

29. An article of manufacture comprising: 

a computer usable medium having corr^puter 
readable program code means emboaiie^d in 
the medium for authorizing access to a 
resource, the computer readable program code 
means in the article of manufacture compris- 
ing: 

computer readable program code means for 
providing I user authentication tests (l>1) for 
authenticating a user who seeks access to a 
resource; 

computer readable program code means for 
receiving a response from the user for each of 
the authentication tests; and 
for each authentication test that the user does 
not satisfy, computer readable program code 
means for withholding access to a selected 
subset of the resource from the user. 
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30. The article of manufacture of claim 29. further com- 
prising computer readable program code means for 
selecting at least one of said subsets so that failure 
of said user to satisfy at least one of said authenti- 
cation tests withholds a fraction of said resource to 5 
which said user has access. 

31. The article of manufacture of claim 29, further com- 
prising computer readable program code means for 
causing a change in said test associated with at 10 
least one of said authentication mechanisms at a 
selected time. 

32. The article of manufacture of claim 31 , further com- 
prising computer readable program code means for is 
choosing said selected time to be approximately 
equal to a time at which said resource changes. 

33. The article of manufacture of claim 29, further com- 
prising computer readable program means, con- 20 
tatned in a smartcard, associated with said user, 
that communicates with said computer and that is 
programmed to provide said a response from said 
user to at least one of said tests in response to 
receiving at least one selected electronic com- 25 
mand. 
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